
SoylentNews is people

posted by martyb on Wednesday July 25 2018, @03:58PM
from the [un]intended-consequences? dept.

Brian Krebs has written a blog post about how Google has been using security keys to neutralize phishing of its employees. It stops the phishing quite well but comes at a high cost. No, not the hardware cost of a security dongle; it's the cost of losing third-party mail applications like Thunderbird and their add-ons like Enigmail.

I have been using Advanced Protection for several months now without any major issues, although it did take me a few tries to get it set up correctly. One frustrating aspect of having it turned on is that it does not allow one to use third-party email applications like Mozilla’s Thunderbird or [others]. I found this frustrating because as far as I can tell there is no integrated solution in Gmail for PGP/OpenGPG email message encryption, and some readers prefer to share news tips this way. Previously, I had used Thunderbird along with a plugin called Enigmail to do that.


  • (Score: 2, Insightful) by Anonymous Coward on Wednesday July 25 2018, @04:06PM (12 children)

    by Anonymous Coward on Wednesday July 25 2018, @04:06PM (#712439)

    You people are willingly giving up your freedom.

    You have to live the world you want to see. Bending over further will just ease Google's penetration.

    • (Score: 5, Funny) by Anonymous Coward on Wednesday July 25 2018, @04:22PM (5 children)

      by Anonymous Coward on Wednesday July 25 2018, @04:22PM (#712452)

      Hillary? Is that you?

      • (Score: 2) by VLM on Wednesday July 25 2018, @04:29PM

        by VLM (445) on Wednesday July 25 2018, @04:29PM (#712456)

        “Hello all - I may be facing a very interesting situation where I need to strip out a VIP’s (VERY VIP) email address from a bunch of archived email that I have both in a live Exchange mailbox, as well as a PST file. Basically, they don’t want the VIP’s email address exposed to anyone. … Does anyone have experience with something like this, and/or suggestions on how this might be accomplished?”

        I still can't believe some brain donor posted that question to Reddit. That's so delicious it had to have been a plant, but sometimes truth is weirder than fiction.

      • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @05:09PM (3 children)

        by Anonymous Coward on Wednesday July 25 2018, @05:09PM (#712487)

        Actually, it's Putin with a Hillary mask on.

        • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @07:22PM (1 child)

          by Anonymous Coward on Wednesday July 25 2018, @07:22PM (#712594)

          And he would have gotten away with it if it weren't for you meddling kids!

          • (Score: 2) by bob_super on Thursday July 26 2018, @04:58PM

            by bob_super (1357) on Thursday July 26 2018, @04:58PM (#713224)

            I must have stopped watching that episode too early. When I last checked, he was still getting away with it.

        • (Score: 2) by arslan on Thursday July 26 2018, @01:46AM

          by arslan (3462) on Thursday July 26 2018, @01:46AM (#712852)

          Wha? Why would Putin make himself more ugly?

    • (Score: 4, Insightful) by DannyB on Wednesday July 25 2018, @05:12PM (1 child)

      by DannyB (5839) Subscriber Badge on Wednesday July 25 2018, @05:12PM (#712489) Journal

      I don't believe setting up your own server is good enough.

      Email needs to be redesigned from the ground up.

      --
      When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
      • (Score: 2, Insightful) by Anonymous Coward on Wednesday July 25 2018, @05:26PM

        by Anonymous Coward on Wednesday July 25 2018, @05:26PM (#712497)

        At the very least, email already allows for basically arbitrary data to be sent, so you could just use it as a vehicle for some new formulation of message interchange.

        However, the current generation of programmers is completely unequipped to produce something that is fundamentally desirable. They're all a bunch of kids who just want to tap into that sweet VC money and ride the latest CoC to virtue-signalling nirvana.

    • (Score: 3, Informative) by Anonymous Coward on Wednesday July 25 2018, @07:19PM

      by Anonymous Coward on Wednesday July 25 2018, @07:19PM (#712590)
      This

      It's not that hard. And for basic email for a single domain (and single address) Postfix is almost turnkey. You have to configure a few simple settings, then you are done. Granted, in today's world, there is a bit more work to set up domain keys and such, but even that is not hard, and there are plenty of how-tos for setting such up in Postfix.

      My personal email's been hosted by me, on my own hardware, since somewhere circa 1998 or so. I'll never make use of the Gmails of the world.

    • (Score: 3, Disagree) by richtopia on Thursday July 26 2018, @12:36AM (2 children)

      by richtopia (3160) on Thursday July 26 2018, @12:36AM (#712806) Homepage Journal

      Unfortunately email addresses do not transfer like phone numbers. When I was young I signed up for Gmail addresses for my primary correspondence. Now, after 14 years that email is critical to communication. I have my own domain and personal email, but I have struggled to migrate everyone to a new email address.

      Now, if Gmail ever drops IMAP support, I will finally break those ties. I probably would do it today if I didn't need an account with Google Play for work.

      • (Score: 0) by Anonymous Coward on Thursday July 26 2018, @10:32AM (1 child)

        by Anonymous Coward on Thursday July 26 2018, @10:32AM (#712999)

        Unfortunately email addresses do not transfer like phone numbers.

        Use email forwarding. Then gmail is essentially just another MTA delivering to your personal mail as final destination.

        • (Score: 2) by bob_super on Thursday July 26 2018, @05:03PM

          by bob_super (1357) on Thursday July 26 2018, @05:03PM (#713227)

          It's actually a better solution, because you benefit from Google's spam filters.

          Give me a 2018 update, I haven't tried for a while: how much spam do you get every day, after self-hosting for a year or so?

  • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @04:18PM

    by Anonymous Coward on Wednesday July 25 2018, @04:18PM (#712451)

    Have you checked out Mailvelope? It's been years since I've played with their stuff but they say they support integration into webmail clients including Gmail.

  • (Score: 3, Interesting) by VLM on Wednesday July 25 2018, @04:26PM (2 children)

    by VLM (445) on Wednesday July 25 2018, @04:26PM (#712454)

    It stops the phishing quite well but comes at a high cost.

    I once worked for a place where the regular employees were all up in arms because corporate policy was all email should be assumed scam until proven otherwise and to enforce the IT security training they had other consultants (not me) periodically send phishing emails to all the employees and then discipline employees who did not react per the corporate policy checklist (which I think was forward all phishing to some mailbox, and people who were like "fuck this" and simply deleted the phishing emails were getting written up for violating corporate security policy, which sounds kinda rough).

    Anyway, yeah, if google wanted to eliminate phishing, shoving all gmail using victims thru some machine learning to either torture the user with fake phishing into eternity thus keeping them away from real dangerous work, or verifying they're not idiots, would be a very "google" way to do it. Some machine learning algorithm inserts fake phishing to a goog controlled domain and follows up based on your actions to prove you're an idiot or not. Kind of a Gom Jabbar test for email. Actually a real Gom Jabbar would be an effective way to enforce comsec, although knowing corporate HR they'd instead mandate it (womandate it?) for diversity training and bullshit like that.

    • (Score: 2) by Fnord666 on Wednesday July 25 2018, @07:21PM (1 child)

      by Fnord666 (652) on Wednesday July 25 2018, @07:21PM (#712592) Homepage

      Anyway, yeah, if google wanted to eliminate phishing, shoving all gmail using victims thru some machine learning to either torture the user with fake phishing into eternity thus keeping them away from real dangerous work, or verifying they're not idiots, would be a very "google" way to do it.

      One thing to point out, at least in the context of this article, is that this only pertains to Google employees, not your everyday GMail user.

  • (Score: 3, Informative) by darkfeline on Wednesday July 25 2018, @07:30PM (1 child)

    by darkfeline (1030) on Wednesday July 25 2018, @07:30PM (#712603) Homepage

    But that's factually incorrect. You can generate app passwords for clients like Thunderbird, that don't require 2FA. A long random password is generated once which you can put in whatever client you want. There's no way to retrieve the password again afterward, and you can revoke it if it is lost/compromised. Under a domain account, the domain admin can disable that feature and strictly require 2FA only, but that is at the discretion of the domain admin; Google provides the feature.

    --
    Join the SDF Public Access UNIX System today!
    • (Score: 0) by Anonymous Coward on Wednesday July 25 2018, @08:09PM

      by Anonymous Coward on Wednesday July 25 2018, @08:09PM (#712631)

      Another bonus of app passwords is that Google locks those out if it detects reuse but doesn't lock out your primary account access. You can just go in and change out the password.

  • (Score: 4, Insightful) by SomeGuy on Wednesday July 25 2018, @08:19PM (3 children)

    by SomeGuy (5632) on Wednesday July 25 2018, @08:19PM (#712643)

    Nice. First Google tries to destroy the web with https, now they want to destroy e-mail too. Fuck them.

    • (Score: 3, Interesting) by Spamalope on Wednesday July 25 2018, @11:45PM

      by Spamalope (5233) on Wednesday July 25 2018, @11:45PM (#712788) Homepage

      Google figures they've got access to phones/email/web/cloud hosting and so HTTPS would only restrict their competition from snooping.

    • (Score: 2) by c0lo on Thursday July 26 2018, @02:33AM (1 child)

      by c0lo (156) Subscriber Badge on Thursday July 26 2018, @02:33AM (#712876) Journal

      how Google has been using security keys to neutralize phishing of their employees.

      So, yeah, really, Google is on its way to world domination, one employee (or more than one) at a time. Did I get you right?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 1, Insightful) by Anonymous Coward on Thursday July 26 2018, @08:47AM

        by Anonymous Coward on Thursday July 26 2018, @08:47AM (#712977)

        Not really. The partially supported 2FA that Google supplies is the same across the board for both their employees and for their useds. Google has not made 2FA mandatory for their useds but strongly recommend it and are steering their useds towards it. The condition for adopting 2FA is giving up access by third-party programs. So it is clear that is the direction they are moving. Notice self-destructing e-mails [soylentnews.org] also require both parties to be using Google's own, proprietary interface. Google is in a strong position, it's not like they have serious competition for "free" e-mail and your average SMB or private citizen aren't likely to be able to find the skill and time to set up their own mail servers, even if the big players weren't dead set on squeezing the small self-hosters out of the market through a variety of means [blogspot.com]. (Sufficiently advanced incompetence is indistinguishable from malice.)

        It looks like that when Google get enough traction, they will do away with IMAPS first and later maybe even SMTP. It'd be helpful to see those protocols replaced by newer, better open standards not by something proprietary.
